OAuth Implementer

OAuth Implementer generates correct, secure OAuth 2.0 and OpenID Connect implementations. OAuth is notoriously easy to implement insecurely — this skill enforces the security requirements that the spec mandates but developers often overlook.

Flows Supported

Authorization Code + PKCE (Recommended for Web and Mobile) 1. Generate `code_verifier` (cryptographically random, 43-128 chars) 2. Compute `code_challenge = BASE64URL(SHA256(code_verifier))` 3. Authorization request with `code_challenge` and `code_challenge_method=S256` 4. Token exchange with `code_verifier` for validation 5. Server-side `state` parameter validation (CSRF protection)

Client Credentials (Machine-to-Machine) Backend services authenticating to APIs without user involvement. Includes token caching to avoid re-fetching valid tokens.

Device Authorization Grant For CLI tools and TV apps without browser access.

Provider Configurations

• Pre-configured for:
• Google — `accounts.google.com` endpoints, `openid email profile` scopes, JWKS verification
• GitHub — OAuth App vs GitHub App distinction, user email API call required
• Microsoft Azure AD — tenant-specific endpoints, Graph API integration
• Auth0 — custom domain, audience parameter
• Generic OIDC — discovery document parsing (`/.well-known/openid-configuration`)

Security Checks Enforced

• `state` parameter generated and validated on every authorization request
• Token stored in HttpOnly, Secure, SameSite=Strict cookie (not localStorage)
• Token expiry checked before every API call
• `id_token` signature verified using provider's JWKS endpoint
• Redirect URI exact match (no wildcard, no substring match)

Framework Integrations

• Next.js with NextAuth.js / Auth.js
• Express.js with passport-oauth2
• FastAPI with Authlib
• Go with golang.org/x/oauth2